Skip to content

Add multi-tenant Databricks token support via cross-namespace K8s secrets#3394

Merged
machichima merged 2 commits into
flyteorg:masterfrom
rohitrsh:feat/databricks-token-support
Mar 10, 2026
Merged

Add multi-tenant Databricks token support via cross-namespace K8s secrets#3394
machichima merged 2 commits into
flyteorg:masterfrom
rohitrsh:feat/databricks-token-support

Conversation

@rohitrsh
Copy link
Copy Markdown
Contributor

@rohitrsh rohitrsh commented Feb 17, 2026
edited
Loading

Tracking issue

Related to flyteorg/flyte#6911

Why are the changes needed?

The Databricks Spark connector currently uses a single global FLYTE_DATABRICKS_ACCESS_TOKEN environment variable for authenticating all Databricks API calls. This creates significant limitations for multi-tenant Flyte deployments:

  1. No project isolation All projects share the same Databricks workspace/token, preventing fine-grained access control (e.g., Unity Catalog scoping per project).
  2. Token rotation requires redeployment Changing the token requires restarting the connector pod.
  3. Single workspace Organisations cannot route different projects to different Databricks workspaces.

This PR adds per-project Databricks token support by enabling the connector to read tokens from Kubernetes secrets in the workflow's project namespace, with backwards-compatible fallback to the existing environment variable.

What changes were proposed in this pull request?

Token Resolution Strategy

The connector now resolves Databricks tokens using a tiered strategy:

  1. Namespace-specific K8s secret Reads a secret (default name: databricks-token, key: token) from the workflow's Kubernetes namespace using cross-namespace lookup.
  2. Fallback to environment variable Falls back to FLYTE_DATABRICKS_ACCESS_TOKEN if no namespace secret is found.

Changes

connector.py:

  • Added get_secret_from_k8s(secret_name, secret_key, namespace) Cross-namespace K8s secret reader using the Kubernetes Python client. Tries in-cluster config first, falls back to kubeconfig for local development.
  • Added get_databricks_token(namespace, task_template, secret_name). Implements the token resolution strategy with structured logging and error handling.
  • Updated get_header() Now accepts an optional auth_token parameter.
  • Updated DatabricksJobMetadata Added auth_token field to persist the resolved token across create/get/delete operations.
  • Updated DatabricksConnector.create(). Now accepts task_execution_metadata parameter, extracts the namespace, and resolves the project-specific token.
  • Updated DatabricksConnector.get() / delete() Use stored auth_token from metadata.

task.py:

  • Added databricks_token_secret field to DatabricksV2 Allows users to specify a custom K8S secret name per task.
  • Updated get_custom() Serialises databricksTokenSecret into the task template custom dict.

User Experience

No changes needed for existing users Existing workflows continue to work with the global FLYTE_DATABRICKS_ACCESS_TOKEN.

New capability for multi-tenant setups:

# Create project-specific Databricks token
kubectl create secret generic databricks-token \
  --from-literal=token='dapi_project_specific_token' \
  --namespace=my-project-namespace
# Optional: Custom secret name per task
@task(
    task_config=DatabricksV2(
        databricks_conf={...},
        databricks_instance="your-instance.cloud.databricks.com",
        databricks_token_secret="my-custom-secret",  # Optional
    )
)
def my_task():
    ...

How was this patch tested?

Unit Tests (test_databricks_token.py)

30+ test cases covering:

get_secret_from_k8s:

  • Secret found successfully (mocked K8S client)
  • Secret not found (404)
  • Secret key missing
  • Secret data is None
  • Kubernetes package not installed (ImportError)
  • Non-404 API exceptions (403 forbidden)
  • Kubeconfig fallback when not in cluster
  • Both config methods fail gracefully

get_databricks_token:

  • Token from namespace secret
  • Token with custom secret name
  • Fallback to env var when namespace secret is missing
  • No namespace falls back to env var
  • No token from any source raises ValueError
  • Empty token raises ValueError
  • Default secret name verification
  • Backward compatibility (no namespace, no secret)

get_header:

  • With pre-resolved auth token
  • Without auth token (auto-resolution)

DatabricksJobMetadata:

  • Auth token persistence
  • Default None value

DatabricksConnector:

  • create() with namespace-specific token
  • create() with custom secret name
  • create() without metadata (backwards compatible)
  • Token stored in returned metadata
  • get() uses stored token
  • delete() uses stored token
  • get() with None token falls back to default

DatabricksV2 task config:

  • Token secret field exists
  • Defaults to None
  • get_custom() serializes databricksTokenSecret
  • get_custom() excludes field when None

Setup process

  1. Connector RBAC: Grant the connector's service account get permission on secrets across namespaces:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flyte-connector-secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames: ["databricks-token"]
  1. Create namespace secrets:
kubectl create secret generic databricks-token \
  --from-literal=token='your-token' \
  --namespace=your-project-namespace

Screenshots

N/A (backend-only change)

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

N/A

@welcome
Copy link
Copy Markdown

welcome Bot commented Feb 17, 2026

Thank you for opening this pull request! 🙌

These tips will help get your PR across the finish line:

  • Most of the repos have a PR template; if not, fill it out to the best of your knowledge.
  • Sign off your commits (Reference: DCO Guide).

@rohitrsh rohitrsh mentioned this pull request Feb 17, 2026
Merged
3 tasks
@pingsutw
Copy link
Copy Markdown
Member

pingsutw commented Mar 4, 2026

lgtm, thank you! Could you fix the lint errors?

@rohitrsh rohitrsh force-pushed the feat/databricks-token-support branch from 7ceb06f to 9eef1e0 Compare March 4, 2026 19:48
@rohitrsh rohitrsh force-pushed the feat/databricks-token-support branch from 9eef1e0 to 048ed2e Compare March 5, 2026 09:42
@rohitrsh
feat(spark): Add multi-tenant Databricks token support via cross-name…
0cfa9c8 
…space K8s secrets

Enable per-project Databricks authentication by reading tokens from
Kubernetes secrets in workflow namespaces, with backward-compatible
fallback to the FLYTE_DATABRICKS_ACCESS_TOKEN environment variable.

Changes:
- Add get_secret_from_k8s() for cross-namespace K8s secret reading
- Add get_databricks_token() with tiered resolution (K8s -> env var)
- Update DatabricksJobMetadata to persist auth_token across lifecycle
- Update DatabricksConnector.create/get/delete to use per-project tokens
- Add DatabricksV2.databricks_token_secret for custom secret names
- Add 31 comprehensive tests covering all token resolution paths

Tracking: flyteorg/flyte#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
@rohitrsh rohitrsh force-pushed the feat/databricks-token-support branch from 048ed2e to 0cfa9c8 Compare March 5, 2026 10:57
@rohitrsh
Copy link
Copy Markdown
Contributor Author

rohitrsh commented Mar 5, 2026

lgtm, thank you! Could you fix the lint errors?

Hey @pingsutw, so here's what I have done to fix the lint issue.

Lint fix: Restored pydoclint-errors-baseline.txt

The lint CI was failing because pydoclint-errors-baseline.txt was empty on this branch. This file contains all pre-existing pydoclint violations across the flytekit repo (introduced in #3077), so they don't block new PRs.

Without the baseline, Pydoclint treated every pre-existing violation in the entire codebase as a new error, causing the failures in ruff, ruff-format, trailing-whitespace, and Pydoclint checks.

What was done:

  • Restored the baseline from master (591 lines)
  • pydoclint auto-regenerated it to 587 lines because our PR actually fixed 4 pre-existing violations the DatabricksV2 class docstring in task.py now properly documents all attributes (databricks_conf, databricks_instance, databricks_token_secret)
  • All new functions (get_secret_from_k8s, get_databricks_token, get_header) have proper Google-style docstrings with type hints zero new violations
  • Verified locally: make lint passes all checks (mypy + pre-commit)
$ make lint                 
mypy flytekit/core
Success: no issues found in 52 source files
mypy flytekit/types
Success: no issues found in 23 source files
mypy --allow-empty-bodies --disable-error-code="annotation-unchecked" tests/flytekit/unit/core
Success: no issues found in 102 source files
pre-commit run --all-files
ruff.....................................................................Passed
ruff-format..............................................................Passed
check yaml...............................................................Passed
fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
shellcheck...............................................................Passed
Check for exposed PDB statements.........................................Passed
codespell................................................................Passed
pydoclint................................................................Passed

machichima
machichima approved these changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@machichima machichima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@rohitrsh rohitrsh force-pushed the feat/databricks-token-support branch 2 times, most recently from e13f8f9 to 1df2ae5 Compare March 10, 2026 19:15
@rohitrsh
Merge branch 'master' into feat/databricks-token-support
148e088 
Resolve merge conflicts in task.py after flyteorg#3392 (serverless) was merged:
- Combined DatabricksV2 attributes: kept all serverless fields, added
  databricks_token_secret
- Combined get_custom() serialization for both feature sets
- Added auth_token to serverless test metadata assertion
- Removed emoji from error message

Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
Made-with: Cursor
@rohitrsh rohitrsh force-pushed the feat/databricks-token-support branch from 1df2ae5 to 148e088 Compare March 10, 2026 19:56
@machichima machichima merged commit 6297a98 into flyteorg:master Mar 10, 2026
56 checks passed
@rohitrsh rohitrsh mentioned this pull request Apr 30, 2026
Open
rohitrsh added a commit to rohitrsh/flytekit that referenced this pull request Apr 30, 2026
@rohitrsh
feat(spark): unify Databricks connector auth with PAT, OAuth M2M, and…
ba19fbf 
… OIDC federation strategies

Databricks has marked Personal Access Tokens (PATs) as a legacy auth
method (https://docs.databricks.com/aws/en/dev-tools/auth/pat) and is
steering customers toward OAuth machine-to-machine (M2M) and OIDC
workload-identity federation. This change brings both modern auth modes
to the Flyte Databricks connector and refactors the existing PAT support
into a shared strategy module so all four modes resolve identically.

What is added:

* OAuth M2M (client credentials) using a per-namespace 'databricks-oauth'
  K8s secret with operator-level fallbacks via env vars.
* OIDC federation, Model 1: the connector pod's own projected JWT
  (e.g. EKS IRSA) is exchanged for a Databricks bearer token.
* OIDC federation, Model 2: per-workflow-namespace ServiceAccount discovery
  driven by labels and annotations on the SA. The connector mints a JWT via
  the Kubernetes TokenRequest API and exchanges it for a Databricks token.
  This preserves the existing per-namespace tenancy model that PAT
  customers rely on for Unity Catalog access.
* A unified DatabricksAuth strategy abstraction in 'databricks_auth.py'
  with auto-detection, per-strategy token caching, and token refresh on
  401 responses for long-running jobs.

What changes for existing PAT users:

* This PR refactors the PAT support that was added in
  flyteorg#3394 from a direct function call into a 'PATAuth'
  strategy that lives alongside the new modes. The behaviour, env vars,
  and per-namespace 'databricks-token' lookup are preserved end-to-end.
  Reviewers may want to read 'connector.py' and the new tests with this
  refactor in mind: PAT now flows through the same 'select_auth' resolver
  as the new modes so we have one extension point instead of two.
* Workflow code is unchanged. 'DatabricksV2' gains optional override
  fields for power users, but existing tasks keep working without edits.

Validation:

* 'pytest plugins/flytekit-spark/tests/test_databricks_auth.py
   plugins/flytekit-spark/tests/test_databricks_token.py
   plugins/flytekit-spark/tests/test_connector.py' passes (100 tests).
* End-to-end tested on an EKS test cluster against a real Databricks
  workspace for PAT, OAuth M2M, and OIDC Model 2.
* Pre-commit (ruff, ruff-format, codespell, pydoclint) clean on the
  changed plugin files.

Tracking: flyteorg/flyte#7319

Related:

* flyteorg#3394 (PAT multi-tenancy, refactored here)
* flyteorg#3392 (Databricks Serverless compute)
* flyteorg/flyte#6911 (original PAT multi-tenancy issue)

Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
@rohitrsh rohitrsh mentioned this pull request Apr 30, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pingsutw pingsutw pingsutw approved these changes

@machichima machichima machichima approved these changes

@wild-endeavor wild-endeavor Awaiting requested review from wild-endeavor wild-endeavor is a code owner

@kumare3 kumare3 Awaiting requested review from kumare3 kumare3 is a code owner

@cosmicBboy cosmicBboy Awaiting requested review from cosmicBboy cosmicBboy is a code owner

@samhita-alla samhita-alla Awaiting requested review from samhita-alla samhita-alla is a code owner

@davidmirror-ops davidmirror-ops Awaiting requested review from davidmirror-ops davidmirror-ops is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rohitrsh @pingsutw @machichima